NSA list: what you need to know about the top vulnerabilities currently targeted by Chinese hackers Part 1
In part 1 we will cover the first 10 entries on the NSA list
No 1. Pulse Secure VPN server vulnerability
| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2019-11510 | An unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability. This may lead to exposure of keys or passwords | 10.00 | 38.46 | 2020-10-17 |
We first reported this vulnerability as a serious risk to organizations back in our "Fix now: High risk vulnerabilities at large, April 2020" blog. At that point we had given the likelihood score a rating of 38.46 and, this vulnerability had been trending at the maximum rating since November 2019. At the time only proof of concept exploits existed but we have seen this change to in the wild exploitation, and of course NSA’s no 1. on the list.
No 2. BigIP traffic management RCE
| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2020-5902 | Remote code execution in the TMUI | 9.8 | 38.46 | 2020-10-13 |
We reported on this one in our Previous "Fix now: High risk vulnerabilities at large, October" blog. Looking at the Farsight rating, this trended around the low 10.00’s from the day after initial release (1st July) through to the 12th July when it was given the full 38.46 risk score where, for many obvious reasons, it has remained until today.
No 3. Citrix ADC directory traversal
| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2019-19781 | Directory traversal issue which can lead to an RCE | 9.8 | 38.46 | 2020-10-18 |
We wrote about this one back in our first Farsight vulnerability blog in April. At this time the vulnerabilities likelihood was 29.15 and we reported the presence of PoC exploit code. Catapult 6 months ahead and we see this on NSA’s hacker list. Once again this demonstrates the power of Farsight in providing an early warning and prediction of exploitation.
No 4., No 5 & No 6 More Citrix ADC
| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2020-8193 | Improper access control allows unauthenticated access to certain URL endpoints | 6.5 | 38.46 | 2020-07-14 |
| CVE-2020-8195 | Improper input validation leading to limited information disclosure | 6.5 | 9.14 | 2020-07-14 |
| CVE-2020-8196 | Improper access control leading to limited information disclosure | 4.3 | 8.92 | 2020-07-14 |
All three of these were released in July with lower likelihood scores. Of the three we have only seen CVE-0202-8193 reach the highest likelihood due to exploitation in the wild. However, these three vulnerabilities together provide a perfect storm for use in web shell malware.
No 7. Bluekeep
| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2019-0708 | An RCE exists in remote desktop services of windows operating systems | 9.8 | 38.46 | 2020-10-14 |
We discussed Bluekeep in one of our introductory Farsight blogs demonstrating the power of risk based vulnerability management. In the discussion of Bluekeep we highlighted that Farsight would have rated the vulnerability a 38.46 likelihood of exploitation as early as June 2019. Over 12 months later we continue to see this being exploited in the wild.
No 8. MobileIron MDM Remote code execution
| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2020-15505 | An RCE vulnerability allowing remote threat actors to execute arbitrary code and take control of remote company servers | 9.8 | 38.46 | 2020-09-17 |
This is the first time we have raised attention with this vulnerability here in our blog. First reported by NIST on 6th July. On the 7th this vulnerability was trending with a Farsight likelihood of 9.54 times more likely to be exploited. It hovered around this score through July until 30th September when the score jumped to 38.46 undoubtedly as the first compromises were discovered. Patch and remediation information can be found here.
No 9. SIGRed
| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2020-1350 | A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests | 10.0 | 38.46 | 2020-10-09 |
We covered SIGRed in our July part 3 blog where we noted it had already received the highest likelihood rating possible. When it was first announced, Farsight rated this as 9.54 times more likely than the average vulnerability to be exploited, jumping to 38.46 by the 18th July.
No 10. Netlogon / Zerologon
| CVE | Description | CVSSv3 Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2020-1472 | An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). | 10.0 | 38.46 | 2020-10-19 |
Another vulnerability covered in our Farsight blogs, this time in our 2nd September blog. At the time it was reported as a 38.46 likelihood and looking at the Farsight prediction it received this rating around 21st September after hovering around 8.51 likelihood of exploitation for the period August through 20th September.
Wrap up
There you have it. Of the 10 / 25 of the NSA vulnerabilities covered we had specifically written about 6 of them in our blogs providing our customers with insights into the Farsight likelihood risk score as well as timely information on remediation and patch. Of the other 4, all had coverage in Farsight and were trending above the average (likelihood of 1) well in advance of any real world exploitation. A pattern we’d expect to see in the remaining 15 vulnerabilities on the NSA top 25 target list.
Our customers who have switched to Outpost24 Farsight as a driving force for their Risk based vulnerability management can rest knowing that it captures and alerts the most risky (and targeted) vulnerabilities, often ahead of any real world mass usage by threat actors. And whilst moving to likelihood could be seen as a leap of faith for those organizations who have been used to relying on CVSS. It definitely provides a peace of mind knowing you are targeting and addressing the most risky, based on real world threat intelligence and vulnerabilities existing in your infrastructure.
Next time we shall consider the remaining 15 vulnerabilities on NSA’s list.
